In a recent podcast interview (The Social Engineer podcast, run by Chris Hadnagy and his team) the topic of DerbyCon came up, and naturally all participants enthusiastically recommended that the listeners attend.  During this chatter, I spouted the oft-heard remark “DerbyCon is the new DEFCON” (a phrase that I didn’t originate but which I have been heard to utter from time to time) and all heads nodded.

In some follow-up on Twitter with nick8ch, we realized that this is a perhaps-controversial phrase and could benefit from some clarification.  So here goes…


“DerbyCon is the new DEFCON” – This is not to denigrate or snipe at DEFCON in any way.  I love that massive Vegas hacker gathering and will keep attending forever.  However, the size of DEFCON and the fact that it’s no longer in small (often seedy) hotels means that having intimate and casual meetings with close friends is challenging, and some antics are harder to pull off than they used to be.  You don’t find yourself just chatting in hallways or hanging out on the hotel roof anymore, like was the norm in the past at DEFCON.  DerbyCon, however, has a very high signal-to-noise ratio and it’s held at a much smaller venue than DEFCON.  Many of the old guard are present, as are enthusiastic up-and-comers.  Folk chill in the lobby bar and it’s not uncommon to see massive penis art in the elevators.  DerbyCon most closely captures the vibe, in my opinion, of the earlier days of DEFCON… but, of course, in truth nothing could ever really be equivalent to that particular place and time in history.  And what’s more, DerbyCon has developed its own wonderful and unique energy that is distinct and vibrant in its own right.

[photo] This kind of thing you just don’t see at on-strip hotels at DEFCON anymore.


“DEFCON is the new Black Hat” – This is also a slightly questionable statement, but one that sometimes follows the previous one.  Why?  Well, while DEFCON used to be 100% focused on the friends you knew who were there and the antics/catching-up you could do with them, now there’s a much more significant element of going to DEFCON in order to see people whom you don’t know.  The idea of rubbing shoulders with the latest INFOSEC rockstar or, similarly, getting your research out in front of people who might hire you or invest with you… those are very BlackHat-ish elements that now are common at DEFCON.  I’m not saying that what makes DEFCON great isn’t still there… but there’s a new vibe.  As someone like SpaceRogue or SimpleNomad would say, “the Money that has changed the industry has found its way into DEFCON.”  People take specific steps to “be seen” and portray their efforts at DEFCON in a way that could positively affect their business the rest of the year.  In the past, you went to DEFCON with a “don’t give a damn” attitude about the fact that it could negatively impact your professional reputation the rest of the year.  😉

[photo] This is what a “DEFCON party” used to look like.

[photo] Who else remembers the purple fountains? Think this could happen at a Caesar’s property?

[photo] Before it was an official, professional event… the Wall of Sheep was just people being d0x’d or having creds dropped on paper plates on the wall of the hotel.

[photo] Poolside fun and general chill.  I can’t remember the last time I could just chill out at DEFCON.  Well, maybe at the Beer Cooling Contraption Contest ever since Uncle Enzo took it over.  😉


“Black Hat is now RSA” – Even more folk might agree with this somewhat unfortunate turn of events.  Full Disclosure: I still appear at Black Hat since my company trains there.  Most of my friends’ companies also train there.  However, the event has ceased to be about the hacker community in any real way other than in name only.  Much of the best information is still there, yes.  But the community feel is not.  Put another way: when is the last time you stuck around at Black Hat in the evenings to go to any of the parties?  For me, it’s been years.  Plenty of sponsors host parties when Black Hat is in town, but now the whole INFOSEC core community is either at BSides or the 303 house or just gearing up for DEFCON itself.  Black Hat’s pricing has continued to grow and scale upward with the influx of money in the industry, and this has made it a lot harder to find smaller voices among that crowd.  Black Hat was never an event where folk would streak naked into pools or wander through DJ-pumping halls high on a galaxy of drugs, but even those of us who have been appearing there for years know that it’s somewhat more “corporate” nowadays.  The size of the vendor expo area has grown as much as the admission price… but it’s not going away any time soon.  Hence, the RSA comparison.

[photo] Black Hat… way back when.

“So if Black Hat is now RSA… What has RSA become?” – COMDEX.  RSA is now COMDEX.  It’s 100% trade show, and any “talks” or other speeches are little more than veiled sales pitches.  It’s a giant sea of marketing with little to no real value to anyone who is key to the industry, and most INFOSEC pros whom I know now avoid RSA like the plague.  Confession: when our company was still new, we did a brief presentation at RSA.  It was one of the saddest things I’ve ever been a part of.  I felt like we were just one more piece of a massive dog-and-pony show.  Besides the event itself having awful security and the participants having awful OpSec and privacy practices, the whole affair just reeked of circle-jerk.  I am sure that I’ll piss some people off here and maybe one day I’ll pay the price for that professionally… but perhaps that’s just the old-DEFCON side of me showing through.  🙂

[photo] We used a FedEx Kinko’s to mod our badges for access outside of regular hours.  We did this at the on-site FedEx, right on that floor of the hotel.  No one noticed or seemed to care.

[photo] I can’t even.  “prevents tampering, spoofing, & hacking” … well alright, then.  Seems legit.

[photo] Even Babak couldn’t believe we were there, talking to this goofball.


Feel free to share your thoughts below in comments or just share a drink with me when you see me.  I’ll be at DerbyCon in the fall.  And DEFCON before that… but you can’t find me for so much as a free second at that event.  😉
  1. I could go point by point or sing praises here n there. I could preempt the almost certain aggressive defense that may come from people calling the ugly baby ugly…. but there is no use. I agree with almost every bit of this. Names are a conference. A reference of success, failure, size, feel etc. They are not something that means it is EXACT but conveys a general vibe.
    Dat COMDEX COMMENT DOE….. $$Priceless$$

    For any of you that are gonna bitch and moan about the defcon comments…. DO SOMETHING ABOUT IT. PROVE THAT IT IS YOURS. The Debauchery and pranking that used to go on in good fun has devolved into bullshit trolling and attacks that actually harm people. Bring back the elevators full of payphones… the late night Hallway raids, the fake party badges, the dis info….. bring back the community and fun…. get your face split open in a moshpit by a giant dong and go play capture the flag and bleed on the keys.

  2. Fantastic write-up!